Posted
by
timothy
on Tuesday September 05, 2000 @07:59PM
from the never-as-simple-as-it-seems dept.

A few words from HP on the Linux-based but Linux-unfriendly print server (read gently, and be thankful for small blessings); happy news from the "the NSA secretly controls PGP and its creator" front; more detail on the sordid, awful things that the MPAA used to say about VCRs, and an online Linux magazine for those who like to read in 5 languages at once. (phew!)

Sheesh! All the guy ever promised was pretty good security! :)
zenith744 writes: "Now available here is PGP v6.5.8, which apparently "...corrects a security-related bug with Additional Decryption Keys (ADKs) that may allow sophisticated attackers to add unauthorized ADK key IDs to the unhashed areas of PGP public keys...". This bug was previously brought to light about a week ago and reported on slashdot. A little more security, a little less stress. A happily balanced equation."

And an unnamed reader points to a story on Network Fusion about Zimmermann's response to the hubbub. Paraphrased: "It was a bug. We're embarrassed about it. Now it's fixed." In an imperfect world, you gotta admit that PGP is one of the bright spots.

It's always "wait a minute," isn't it?
Tjisana M. Lewis, Product Manager, Emerging Products World-wide Business Management at Hewlett Packard (and who hopefully doesn't have many middle names to remember) wrote in response to the article on Slashdot recently about HP's new print server which runs Linux internally but does not support LPD client printing: "I've read some of the responses and (understandably) there is much speculation on WHY we did not support LPD client printing in the product's first release." She sent the following response, which strongly hints at better Linux support in the future for this product.

"The JetDirect 4000 Print Appliance can send print jobs to any LPD enabled
destination whether such destination is a Linux box, JetDirect print server,
or any other vendor's print server. Currently the JetDirect 4000 does not
receive LPD print jobs, however in a few months, this [and other features]
will be available in a free firmware upgrade.

As a vendor with a Linux based product, HP is extremely committed to
supporting the Open Source community. We support developers in the Samba
team including Jeremy Allison and Andrew Tridgell by contracting with both
VA Linux and Linuxcare to develop features for the print appliance. These
features are part of the Samba project and will be available to everyone
under the GPL. An example is NT Printing functionality that will enable the
use of native NT tools and features such as "point and print." Point and
print enables automatic downloading of a print driver to a Windows client
when the client adds a printer.

Furthermore, HP, in working with SAMBA, adds testing resources during the
development process of the release thereby increasing the final quality of
the release."

Care for some salt with your wound, Mr. Valenti? Master of Kode Fu writes: "The New York Times has an article quoting MPAA President Jack Valenti saying this: "[it] is to the American film producer and the American public as the Boston Strangler is to the woman alone." He wasn't talking about DeCSS, Napster, Scour, FreeNet or Gnutella -- he said it in 1982 and he was talking about VCRs. He didn't see that VCRs would eventually become as important an income stream for films as box-office sales. Will the MPAA (and similarly, the RIAA) learn from historical precedent, or is file sharing over the 'Net a completely different case with different circumstances?"

Isn't it funny how the fight to prevent consumer taping went away when the companies involved realized that what VCRs really represented was a whole new way to make money? Hmmm. Extend, project, extrapolate ... I smell money here, too. Don't they?

Contribute to the death of excuses! The excuses not to at least try Free software keep dwindling, and it's nicer than strangling dodo birds. Remember when "But there aren't any books!" was a valid complaint about Linux? How about "I can hire MCSEs and know they have at least some knowledge of the systems they purport to administrate -- but there aren't Linux equivalents!"? That one's gone too, for better or for worse. And now, if your boss (or spouse) grouses that there aren't any free, multilingual Linux journals online, not only do you know their excuse barrel is near empty, but you can point them to ... well, let Atif Ghaffar explain:

"LinuxFocus (LF) is a multilingual magazine about the operating system
Linux.

LF is managed and produced by Linux volunteers, fans and developers.
There is no subscription necessary to read LF, it is freely
available on the web with mirrors all over the world.

Oh, maybe you meant that he said things that were not technically true? Well, he doesn't mind. Incorrectly yelling that VCRs were going to eat the business enabled the MPAA to get better legal options to make more money from VCRs.

Do you really think that he doesn't know that half of his recent deposition was pure bullshit? (Don't have the link handy, but, well, he obviously lies beyond belief.)

Where did you read that being sincere would be a plus for running the MPAA? Do you think they plan *not* to make money with the internet? Shareholders are probably happy. The MPAA defends its corrupted business in order to make more money. They can lie to anyone they want (but to the shareholders...)

What printers were these? The workgroup laser printers just work out of the box (and quite nicely), at least on Unix networks (I would be surprised if they did not work on Windows, but we programmed and tested them in a Unix environment).

The asterisk isn't usually intended as a trademark avoidance method; it's usually a globbing character. Due to Bell Labs' enforcement of their trademark on "Unix", most Unix workalikes were given "Unix" soundalike names that ended with some of the same characters as "Unix". (e.g. Ultrix, Xenix, AIX, HP/UX, even Minix and Linux (although the latter names probably stemmed more from the by-then tradition of names sounding like "Unix", not directly from worries of trademark infringement))

--Phil (Yes, most of those names don't end in "nix". It's the spirit of the thing that counts.)

Don't bitch about HP too much... I had the "joy" of installing an office full of Xerox "network ready" printers...

Not a single one of them was plug-n-play like an HP with a JetDirect. I had to get a Freeware utility that emulates the LPD service on a Windows machine to communicate with them. Of course, this had to be installed on EVERY Windows machine, and NOWHERE did it say this was necessary in the documentation or on the Web site. The software wasn't even from Xerox.

Bah. Curse 'em or not, I stick by HP in general... But as for using Linux to create a print server and then blatantly NOT support LPD... That's really just... Wrong. Sorry, but based on that alone (that it doesn't support LPD) I would not buy this product. But you do have to look at who it's targeted at.

You just mixed a couple interesting stories and the end result is noise. I don't know (or care) if the /. editorial policies have changed lately, but could you care to explain what's wrong with giving the stories their own post? I really can't picture someone coming to /. for news anymore, the real "value" now is the comments. Everybody else and their dog is doing better than /. at keeping people current on Linux events, but everybody else's (and their dog's) forums suck. Slashdot sucks, but just a mutt, it sucks less. You have it right there: news for nerds. stuff that matters. Don't try to be a news agency, you are not.

Well, how about 20 million+ Linux/OSS-OS installed machines with no software DVD player?

*Keeping in mind* there is _NO_ copy protection WHATSOEVER for DVDs. There is no mechanism at all to stop anyone copying a DVD they own (providing they also already own an artificially expensive DVD burner). That is *not* what this is about!

Were the MPAA not the pig-headed, reactionary, greedy, grasping, exploitative blood-sucking scum that they are, they would be already reaping the benefits of an extra 20mil players for their god-forsaken media format.

Technically this article isn't quickies, as you would have quickly discovered had you actually read the title, the dept., and/or the blurb from Timothy. This is in fact a slashback section, which contains updates on stories which were previously seen on /. So it's not Timothy's fault that several interesting stories had updates; that's just the news biz.

The large scale houses which just press bit-for-bit copies of DVDs are only one venue of piracy.

As far as the DeCSS enabled piracy goes, there is the risk of large scale piracy by dealing in downgraded versions of movies copied from the DVD and then compressed and encoded onto CD-ROM using the likes of DIVX. These become cheap to produce, small enough to exchange over high speed Internet connections, etc. The quality is not as good as the original DVD but may still eat into sales of those DVDs.

This does not detract from all the arguments FOR DeCSS, but I hope it better explains what the risk to the movie producers is.

It's not DeCSS - it is the concept of having digital content not protected by stupid access restriction schemes. Dropping this would encourage the much wider availability of DVDs, and even DIVX encoded content - I wouldn't mind paying a dollar or 2 to download a DIVX copy of a movie to check out...

Your secret key is not secured by your password, it is secured by a hash of your password. Several different passwords or passphrases may hash to the same value. This leaves you open to what is known as a Birthday attack. If you look at the source code for whatever version of PGP you are using you will be able to tell what hash function is being used. In the case of all PGP versions that use the old V3 keys (that I could find) this is MD5. The MD5 algorithm is clearly described in RFC1321; these RFCs are definitely worth the read if you are serious about security. I read an article a while ago where the police were trying to break someone's password to get evidence for a trial. The article said that after a long time trying to crack it, they finally found the only password that would unlock the file was "a hole in one!". If the bad guys had hashed the password with MD5 the police would have been able to crack it much quicker. I don't have a problem with someone who has a proper warrant being able to crack my keys. What I do have a problem with, is some private dick being able to grab the keys off my hard drive, crack the keys with a PC and sell the unlocked contents to the highest bidder. Common sense precautions should prevent this from happening, but there are still a lot of badly installed PGP programs out there.

With other operating systems such as Apple or Windows you get a descrambler. It would be almost as easy to copy the output from a licensed Windows descrambler that comes with every DVD device, as it would be to copy the output from DeCSS. I think a case should include a clearer intent to distribute in order to prosecute.

So the solution then is to go back and use the old V3 keys with versions 2.6.2 or 2.6.3? If people do, they need to remember to keep their keys off of their hard drive. The older DOS versions of PGP used MD5 to protect the secret ring. I have heard security experts recommend switching to a stronger hash function, at least SHA if not Tiger. PGP is the only commonly used encryption standard we have. As it is, very few people use it. It would be a shame if we scared people away from using it to the point where "----- BEGIN PGP" became an automatic CARNIVORE snack.

Basically, a "free" machine. I was rather unimpressed with its performance until I discovered that it was running Apache, MySQL, Sendmail, and a whole TON of other services.

I was STUNNED!

It ran for ~ 7 months, 24x7, with NO PROBLEMS other than configuration.

I was STUNNED!

But, if I had gone in thinking this was going to be a replacement for Windows, I would've been skeptical from the get-go.

It replaces Windows on the SERVER side. It's almost OK as a client. (I use it, but mostly because I like to work in *nix when writing code for my *nix server)

What's perhaps funny is that although my main workstation is a pretty decent 400 MHz system w/16 MB AGP card, 13 GB HD, etc., the server on which I test and demo all my work is a P-100 w/2 GB HD and a couple of NICs - not even a monitor or mouse to its name!

1) what are you talking about PGP runs on many platforms including Linux.
3) speak for yourself... I would not
4) If you believe that - you should wear a big
sign saying "I need a cavity search" - after all
you have nothing to hide, freaking moron. Why don't you crawl into a time machine and go back to the USSR.

Give them an old pentium 100 to play with. They will always look down upon linux.

In my office, I had 1 extra pentium 90, and one very whiny coworker always complaining about windows crashing. I said "try this", and he willingly did so.

A few days later, he wouldn't touch the thing, because it was too slow. Obviously it's faster than Windows 98 on the same computer, but he didn't seem to realize that. Instead, he installed StarOffice, and compared it to how fast Microsoft Office ran on his Pentium III 500.

I tried, but I could not seem to explain to him the gigantic performance difference between the two computers and how it was relevant.

In other words, help others out, but don't get them to expect a damn miracle. Use those old computers for masq gates and stuff, demo linux on high performance hardware.

I think that was quite possibly the most intelligent set of comments/attitudes I have seen from anyone in the open source community in some time.

Thank You

Lately it's seemed that a lot of people have been losing sight of just why they do things. GNU/Linux and the rest of the free *nix family were built on people doing something because they loved it, because it was challenging and fun. In recent times it has started to degrade into a badge, a status symbol for people to wear on their sleeves to say "hey, look, I'm special, I use/develop for Linux." This is not how it should be. The "community" isn't some elite group, it isn't something that should be distilled down to a business model. It's a family of like-minded individuals doing something because they love it.

I think I'd like everyone in the community who has since moved Linux from a hobby to a career to look in the mirror at least once a day and ask themselves, just as the average professional athlete must, "Why do I still play the game? Do I do it for the love or for the money?".

What has ALWAYS boggled me is all those shareware authors expecting to be paid for totally useless crap... ok I would want to pay for something really useful or something really fun, especially if it's only a few bucks... but when I was a mac user I found that shareware that allowed you to drag your windows transparently. Completely useless, extremely slow (esp. at the time), utterly crash prone, and with an obnoxious alert box at every startup to remind you of paying... 10 bucks, that's it, for a complete piece of shit. This kind of program has a hack value, but the value is to its author. That's it.

If the bad guys had hashed the password with MD5 the police would have been able to crack it much quicker.

Why is this? Clearly searching by brute force, using the assumption of a low-entropy password (ie. ascii characters, and dictionary words) would be quicker than a brute force MD5 match (ie. finding a key that hashes to the same value as the original key). To my knowledge, MD5 has never been shown to be a weak hash (ie. it has appropriate collision properties, and while 128 bits is not as great as SHA-160, it should be more than adequate for protecting simple passphrases)
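The two posts above argue about whether the MD5 hash of a passphrase, or a "birthday attack" on it, is the weak point of a passphrase-protected secret key. The following is an added example (not code from the page, from PGP or from NAI) that models the older scheme the posters describe as key = MD5(passphrase), unsalted and single-pass; that modelling choice, the six-word dictionary and the salt value are constructed for illustration. It runs the same dictionary attack against MD5, SHA-1 and a salted, iterated derivation, and shows that the passphrase falls in the same number of guesses every time: the hash function's collision resistance never enters into it, only the passphrase's entropy and the cost of each guess do. A collision (about 2**64 MD5 evaluations) would in any case produce two unrelated passphrases with equal hashes, not the key that unlocks a given ring; that would need a preimage, 2**128 work.

```python
"""Dictionary attack against a passphrase-derived key (added example).

Modelling assumption: the older scheme is key = MD5(passphrase), with no salt
and no iteration.  Nothing here is PGP's own code.
"""
import hashlib
import itertools

# Constructed attacker dictionary; the target phrase is the one quoted in the
# news story the commenter above mentions.
WORDLIST = ["a", "hole", "in", "one", "golf", "par"]
SALT = b"per-key-random-salt"  # constructed; a real salt is random per key


def derive_key_md5(passphrase):
    """Older style as described above: 128-bit key is the raw MD5 of the passphrase."""
    return hashlib.md5(passphrase.encode("utf-8")).digest()


def derive_key_sha1(passphrase):
    """Same scheme with a 'stronger' hash: still unsalted, still one pass."""
    return hashlib.sha1(passphrase.encode("utf-8")).digest()[:16]


def derive_key_iterated(passphrase, salt=SALT, iterations=200_000):
    """Salted, iterated derivation (PBKDF2-HMAC-SHA256).  The hash's strength
    is not the point; the salt defeats precomputed tables and the iteration
    count multiplies the cost of every guess."""
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations, dklen=16
    )


def candidates(wordlist, max_words=4):
    """Phrases of 1..max_words dictionary words, each with and without a trailing '!'."""
    for n in range(1, max_words + 1):
        for combo in itertools.permutations(wordlist, n):
            phrase = " ".join(combo)
            yield phrase
            yield phrase + "!"


def dictionary_attack(target_key, derive, wordlist=WORDLIST):
    """Return (recovered_passphrase, guesses_made); passphrase is None on failure."""
    guesses = 0
    for guess in candidates(wordlist):
        guesses += 1
        if derive(guess) == target_key:
            return guess, guesses
    return None, guesses


def demo():
    """Attack the same passphrase under three derivations; same guess count each time."""
    passphrase = "a hole in one!"
    derivations = [
        ("md5", derive_key_md5),
        ("sha1", derive_key_sha1),
        # 1,000 iterations only to keep the demo quick; real settings are far higher.
        ("pbkdf2_1k", lambda p: derive_key_iterated(p, iterations=1_000)),
    ]
    return {name: dictionary_attack(derive(passphrase), derive) for name, derive in derivations}


if __name__ == "__main__":
    for name, (recovered, guesses) in demo().items():
        print(f"{name:>10}: recovered {recovered!r} after {guesses} guesses")
```

Swapping MD5 for SHA changes nothing about how many guesses the attack needs; what changes the economics is a per-key salt (so tables built for one key do not transfer) and an iteration count high enough that each guess is expensive. A passphrase that is not in anyone's dictionary is still the only thing that makes the search infeasible.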

Did anyone else notice that the JetDirect box was actually to translate an SMB printing connection into an LPD printing connection to allow simple Windows printing on printers which only had LPD support?

Admittedly, it is nice to have all your printing going into the same queue, so that Unix Print jobs don't ignore prioritization, but that's not what their JetDirect box seemed to be intended for. It looks like more of a small business plug and play SMB->LPD translator.

Adam (Who uses SaMBa printing to an NT server and is quite happy with it)

Well, I decided that I would finally get my stuff together and build my own system (yeah, like how hard is that?). So I read review after review on motherboards, cpus, video cards, etc. I got an AMD K6-III 400, an Asus P5a, Creative sound and video card, and cdrom, and standard 3Com NIC and modem. I decided I'd give Windows 2000 a spin because I use NT at the office, and wanted to be one of the ones on the block experimenting with Windows 2000. Well, I don't know if it is my hardware, but that Windows 2000 box is an unstable piece of shit. Totally unstable. Getting it installed was a nightmare...had to do it twice because of some goddamn BIOS option that was causing Windows to lock up on boot. I have a big honking fan over the cpu but the machine seems to still randomly reboot. My cdrom drive broke just a day or so ago and the damn machine rebooted in the middle of my writing an email to get it replaced. I get blue screens frequently. Games won't install (but stupidly if copied from another windows 95 machine, work just fine).

Moral of the story: if you are installing a windows product either make damn sure all your hardware is on the compatibility list, and then hold your breath, or pay premium and buy retail and hope you're not saddled with low quality components.

What HP really has to say is: Stop whining, we're putting a lot of good work into the SAMBA project, so accept that. You're right, we didn't want to spend millions of dollars re-training our support staff, when 90% of Linux installations have a knowledgable tech either on hand or a phone call away, who will probably get your Linux machine to work with our appliance. Thanks everyone for Linux, though. We hope the next version of SAMBA makes your lives a bit easier.

Jesus! Jack Valenti is still running the MPAA 20 years later. You would think that after being sooo wrong about VCRs, he would have got the boot. It looks like the MPAA is so corrupt that they would rather institutionalize stupidity than learn from their mistakes. If I were a shareholder in any of the MPAA member companies I would be furious.

Yup!
I bought a copy for the Mac a couple of months before OS 9 came out. When it did, an incompatibility cropped up and I needed an upgrade. I call them and ask if there will be a free upgrade. Nope. I ask if there's an upgrade discount like most software. Nope. They actually wanted me to pay the full price again after just a few months! I'll never buy anything off them again.

I've pretty much gone back to Windows since playing around with Linux. It had some nice features (the stability was great, and programming simple programs with gcc was a breeze), but I couldn't stand not running my favorite apps, and the GUI left a lot to be desired.

I've now started using Windows 2000, and am pretty impressed. It does crash, but it's a well-documented visual bug (playing around with OpenGL with beta Voodoo 3 drivers), and only if I attempt a set group of tasks. It runs games extremely well, in some cases better than their Windows 98 counterparts (e.g. Unreal Tournament). I also can use Visual C++ to quickly create W32 apps, and list them as shareware for hundreds of millions of "normal" computer users to use (instead of just Freshmeat users, which though cool, don't represent the average user).

Close, but you seem to have missed a big part of the HP response. What I got out of it was: Stop whining, the feature you guys were bitching about (not being able to print to this thing from Linux) will be there soon via a free firmware upgrade. Oh and BTW, we are pumping money into SAMBA... etc.

How, pray tell, can the MPAA make money with DeCSS?
At least, with VCRs, the answer was pretty freaking obvious.

Obviously, it wasn't at the time (early 80's)...

How can they make money with DeCSS? Dunno. I'm not a marketdroid. A first guess would be to increase their market penetration for legally purchased DVDs.

Besides, who says it has to be the MPAA making money off of the DeCSS source code? Why couldn't a company create a DVD add-on for the HandSpring or WinCE in the future? How about selling and supporting DVD playback capability for less than a licence from the DVD-CCA? Hey, maybe there's a market for some T-Shirts with source code on them! The possibilities are endless.

Don't dismiss what corporate -insert country here- can think of to make money when they are forced to actually think about product development rather than sit back and milk an existing monopoly/product line.

I don't use it, and won't use it. Their licensing is too restrictive. I'd much rather use the German produced GnuPG [gnupg.org]. Better licensing, more standards compliant, and they don't put stupid features like ADK in to satisfy Big Brotherish commercial interests.

Nice of the PGP folks to provide a fix for those using the freeware version of PGP. However, if you were one of the suckers who purchased PGP for commercial use, Network Associates requires that you *purchase* an upgrade to fix the problem. Seems to me that with a major blunder like this, they owe me a fix at no charge.

Date: Mon, 28 Aug 2000 22:29:56 -0400
From: Nemo
Newsgroups: alt.privacy.anon-server
Subject: Think Twice before installing PGP 6.5.8
If you want to install an updated PGP to fix the ADK issue, you might want
to read this message thread over in comp.security.pgp.discuss
Apparently, NAI's solution is to hide the problem from the user. The
updated PGP won't use a forged ADK, but it also will not show you that a
key has a forged ADK; a forged key will appear to be valid with no ADKs at
all. Consequently, the "view->ADKs" menu option is no longer useful for
detecting keys with forged ADKs.
This fix is a Public Relations fix, not a bugfix. The ADK problem is a
major design flaw, not a simple bug. It cannot be reliably fixed by what
NAI is doing. This update shows a fundamental misunderstanding of what the
real problem is and makes me question whether NAI really wants to fix this.
--
Nemo -:- nemo@redneck.gacracker.org
"For those with more memory than 8 Mb - tough luck.
I've not got it, why should you." - Linus Torvalds
(from the linux kernel source code, circa 1991)
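zenith744's submission at the top of the page says the forged ADKs went into the "unhashed areas" of public keys, and Nemo's post above complains that 6.5.8 merely stops using them without showing the user that a key carries one. What follows is an added example, a toy model in Python and not PGP's or NAI's code, of why the forgery works: an OpenPGP self-signature covers the key material and the hashed subpacket area, while the unhashed area sits outside the signed bytes by design. Everything in it is constructed for illustration: the subpacket type numbers are not OpenPGP's registry values, an HMAC under an owner-only secret stands in for the asymmetric self-signature, and the key IDs are made up. It shows the self-signature still verifying after an attacker appends an ADK subpacket, the two reading policies (honour ADKs from either area, or only from the signed area), and an audit helper that surfaces the tampering instead of silently ignoring it.

```python
"""Toy model of the ADK forgery against OpenPGP's hashed/unhashed split (added example).

Assumptions, all constructed: subpacket type numbers are arbitrary labels, an
HMAC keyed by an owner-only secret stands in for the real self-signature, and
key IDs are placeholders.  This is not PGP's or NAI's code.
"""
import hashlib
import hmac
import struct

# Arbitrary labels for the toy model (NOT OpenPGP's subpacket type registry).
SP_CREATION = 1
SP_ADK = 2


def serialize_subpackets(subpackets):
    """Length-prefixed encoding of a list of (type, payload) pairs."""
    out = bytearray()
    for sp_type, payload in subpackets:
        out += struct.pack(">BH", sp_type, len(payload)) + payload
    return bytes(out)


def signed_data(key):
    """What the self-signature covers: key material plus the hashed area only.
    The unhashed area is deliberately excluded, as in OpenPGP."""
    return key["material"] + serialize_subpackets(key["hashed"])


def self_sign(signing_secret, key):
    """Stand-in for the owner's self-signature (assumption: HMAC models
    'only the owner can produce it' well enough to show what is covered)."""
    return hmac.new(signing_secret, signed_data(key), hashlib.sha256).digest()


def verify(signing_secret, key):
    """True if the stored self-signature matches the signed area of `key`."""
    return hmac.compare_digest(self_sign(signing_secret, key), key["sig"])


def make_key(owner_secret, key_id):
    """Owner creates a key with no ADK at all and self-signs it."""
    key = {
        "material": b"pubkey:" + key_id,          # constructed placeholder
        "hashed": [(SP_CREATION, b"2000-09-05")],  # inside the signed area
        "unhashed": [],                            # outside the signed area
    }
    key["sig"] = self_sign(owner_secret, key)
    return key


def inject_forged_adk(key, attacker_key_id):
    """Attacker appends an ADK subpacket to the unhashed area. No secret needed,
    and the existing self-signature is untouched."""
    key["unhashed"].append((SP_ADK, attacker_key_id))
    return key


def adks_honoured_vulnerable(key):
    """Pre-fix reading policy as described on the page: ADKs from either area."""
    return [p for t, p in key["hashed"] + key["unhashed"] if t == SP_ADK]


def adks_honoured_fixed(key):
    """Only ADKs that the self-signature actually covers are honoured."""
    return [p for t, p in key["hashed"] if t == SP_ADK]


def unhashed_adks(key):
    """Audit helper: list ADK subpackets sitting outside the signed area, so a
    tampered key is shown to the user rather than silently cleaned up."""
    return [p for t, p in key["unhashed"] if t == SP_ADK]


def demo():
    owner_secret = b"owner-only-signing-secret"  # constructed
    key = make_key(owner_secret, b"ALICE")
    inject_forged_adk(key, b"MALLORY")
    return {
        "sig_still_valid": verify(owner_secret, key),
        "vulnerable_encrypts_to": adks_honoured_vulnerable(key),
        "fixed_encrypts_to": adks_honoured_fixed(key),
        "tamper_visible": unhashed_adks(key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same model also shows what the signature does protect: append the ADK to the hashed area instead and `verify` fails, which is why a forger has to use the unhashed area in the first place. The audit helper is the piece Nemo says the update leaves out; a reader that only stops honouring the forged subpacket gives the key's users no signal that someone has been tampering with their key.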

Because the MPAA represents makers of movies, who will benefit because more people will be able to play DVDs and thus have an incentive for buying them. The CSS system limits what systems can be used to play a DVD, the DeCSS code circumvents this so that drivers can be written for platforms the drive vendors don't consider "lucrative" because then they have to pay lots of money to the consortium.

If they really cared about piracy they would go after the factories in China or wherever which spit out bit-for-bit copies of the DVDs, because - and this is what the recent lawsuits don't want you to think about: You don't need, and have never needed DeCSS to copy a DVD. You just need it to descramble the data for viewing. As a side-effect, you can take that stream and save it, but you could do that with any video stream, even if your descrambling driver was licensed from CSS.

Sadly, this goes unreported in the press, and you instead end up with ignorants like John Taschek [zdnet.com] voicing off after swallowing the "arguments" of the business - even if the MPAA does not benefit from CSS at all.

Having started with *nix in '96, I remember that there were many excuses not to try open source software. I had a friend tell me, here play with this on a 2nd partition or older machine. It's fun. You can learn UNIX for free.

I got slackware 3.0 (I may be off) and played with the command line for a while, just poking at things. I didn't care that the install was hard...it was fun! I was challenged to learn how computing worked at a deeper level. I was specifically told that I would spend many hours wrestling with things, but it would feel good at the end. I remember thinking...hey cool, this comes with a c compiler by default. Then when I got X running it was fun to tweak, and pop xeyes randomly on other people's screens (causing a few lost shell accounts).

I think people are reluctant to try OSS today because of the way the community presents it. No one says anymore "hey, install this and see if you can learn *nix". Instead it is "This is faster, more reliable, easier to install, better than windows, and totally free." Obviously, this is quite a hefty claim for a win32er to take (true or not true), and so people will quickly become disillusioned at the first couple signs of trouble, and will not wish to work for a few hours learning how to compile soundcard support into a new kernel, or activate IP-Masquerading with additional modules.

If we said instead, "Hey try this on an old P100, it is fun to play with," we could let the OS try and prove itself. Without the hype, people might get turned on quicker. When I started, there was no concept of replacing windows, it was just another OS to accomplish things on. I only went full *nix in '98 when NT4 ate my partition table, and I went back to win98 this year because I missed the games, and Netscape4.0 does have issues.

It's true that win2000 and linux are closing in on each other's turf, and this is going to cause sparks, but the attitude that should be fostered is to know BOTH win2000 and *nix inside and out, and take some pride in being knowledgeable in both spheres. Granted, everyone has a preferred environment, but discussion should focus more on getting things done, not "come to our side."

The more hype escalates, the more win32 users will loathe *nix. (also, win2k hype will make *nixers hate the win32 community, works both ways). People will find excuses, especially with the "conversion" attitude. The community needs to go back to "grab that old 486 from the closet and come play". As easy as setup and install is getting, excuses will go away when win32ers stop feeling threatened.